-
Removing the PID prevents correlation with non-EDR data sources. As an example, Apache by default provides a As for renaming Ideally, we should have both the PID and UID as required for process creation events, with a function for generating UIDs when the source does not provide it, e.g. f(device_id + timestamp + pid)
-
Wrapping up this proposal. Everyone is in favor of changing the constraint but leaving
-
Even if the UID is sent, the PID should still be required. A process object without a PID is incomplete.
-
Problem
The process object that is used in almost every System Activity class requires the Operating System PID to be set on every event. To combat PID reuse [1], most vendors with endpoint agents/tools generate their own Unique ID for a process and may send it instead on subsequent events (say a new library being loaded (Module Activity) or a file being written (File System Activity)).
Solution
To solve this, we're recommending that PID be changed from required to recommended with a constraint that either pid or uid be set. In this week's triage call, we also talked about renaming uid with an updated description change to make it more clear.
References
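The following is an added example, not code from the schema project or from any of the participants above. It shows the two points the thread turns on: the proposed constraint that a process object must carry at least one of pid or uid, and the comment's suggested f(device_id + timestamp + pid) for deriving a uid when a source only sends a PID. The hashing scheme, the field names device_id and start_time, and the sample events (constructed, with PID 4242 handed to a second process after the first exits) are all assumptions made for the illustration.

```python
import hashlib

# Constructed sample events (not from the page): one host, three events, where
# PID 4242 is handed to a second, unrelated process after the first one exits.
SAMPLE_EVENTS = [
    {"class": "Process Activity", "device_id": "host-01", "pid": 4242,
     "start_time": 1700000000123, "name": "curl"},
    {"class": "Module Activity", "device_id": "host-01", "pid": 4242,
     "start_time": 1700000000123, "module": "libssl.so.3"},
    {"class": "Process Activity", "device_id": "host-01", "pid": 4242,
     "start_time": 1700000005000, "name": "bash"},  # PID reused
]


def process_uid(device_id: str, start_time_ms: int, pid: int) -> str:
    """Hypothetical f(device_id + timestamp + pid) from the comment above.

    Every event of one process instance carries the same (device, start time,
    pid) triple, so it hashes to the same uid; a later process that reuses the
    pid has a different start time and therefore a different uid.
    """
    material = f"{device_id}|{start_time_ms}|{pid}".encode()
    return hashlib.sha256(material).hexdigest()[:32]


def validate_process(proc: dict) -> list:
    """Proposed constraint: at least one of pid or uid must be set."""
    errors = []
    if proc.get("pid") is None and proc.get("uid") is None:
        errors.append("process: at least one of pid or uid is required")
    if proc.get("pid") is not None and not isinstance(proc["pid"], int):
        errors.append("process.pid must be an integer")
    return errors


def normalize(event: dict) -> dict:
    """Build the process object from a raw event.

    The pid is kept whenever the source sent it (it is what non-EDR sources
    such as web-server logs can be joined on), and uid is filled in when the
    source did not provide its own and enough data exists to derive one.
    """
    proc = {"pid": event.get("pid"), "uid": event.get("uid")}
    if proc["uid"] is None and proc["pid"] is not None and "start_time" in event:
        proc["uid"] = process_uid(event["device_id"], event["start_time"], proc["pid"])
    errors = validate_process(proc)
    if errors:
        raise ValueError("; ".join(errors))
    return proc


def correlate(events: list) -> tuple:
    """Group event classes by pid and by uid to show the PID-reuse problem."""
    by_pid, by_uid = {}, {}
    for event in events:
        proc = normalize(event)
        by_pid.setdefault(proc["pid"], []).append(event["class"])
        by_uid.setdefault(proc["uid"], []).append(event["class"])
    return by_pid, by_uid


if __name__ == "__main__":
    by_pid, by_uid = correlate(SAMPLE_EVENTS)
    print("by pid:", by_pid)   # one key: curl's and bash's events are mixed together
    print("by uid:", by_uid)   # two keys: curl plus its module load, bash on its own
```

Grouping by pid alone merges the module load into whichever process currently holds PID 4242, which is the reuse problem the proposal describes; grouping by the derived uid keeps the two process instances apart while the pid stays on the object for joining against sources that never emit a uid.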